Rodrigo Campos [Fri, 27 Feb 2026 17:10:40 +0000 (18:10 +0100)]
portable: Add ExtensionImage drop-in for any extension
Before this patch, when running:
    portablectl attach --extension ext.raw ./base.raw
No drop-in is added for the "ExtensionImages" if there aren't units from
the extension loaded.
But the extension can just overlay files, as in my case. So before this
patch, I also need to manually add a drop-in with "ExtensionImages=" for
it to really be loaded.
Let's just always add the drop-in for extensions. This way, it works for
extensions that just overlay files too.
Please note this commit just removes the if (simpler to view the diff
with git show -w). Also, the if checked for m->image_path being not
NULL, but removing it shouldn't cause a NULL pointer dereference,
because m->image_path is not used inside the if (it was needed just for
the if itself) and image_path is asserted at the beginning of the
function to be non-NULL too.
This was like this since the beginning of time in 907952bbc9
("portabled: add --extension parameter for layered images support")
Yu Watanabe [Mon, 2 Mar 2026 14:09:19 +0000 (23:09 +0900)]
login: fix two io.systemd.Login Varlink IDL issues (#40857)
Add missing NoSessionPIDFD error to the interface definition; the error
is emitted by vl_method_create_session() when the session leader process
does not have a pidfd available, but was never declared in the IDL.
Drop SD_JSON_MANDATORY from the ReleaseSession.Id dispatch entry so that
omitting the field (which the IDL allows via SD_VARLINK_NULLABLE)
resolves to the caller's own session via session_is_self(NULL).
noxiouz [Mon, 2 Mar 2026 10:04:37 +0000 (10:04 +0000)]
login: fix ReleaseSession.Id dispatch flag in io.systemd.Login Varlink handler
The ReleaseSession method's Id field is declared as nullable (?string) in
the IDL, allowing callers to omit it so that the method releases the
caller's own session via session_is_self(NULL). The SD_JSON_MANDATORY flag
in the dispatch table contradicts this and makes omitting Id return -EINVAL
("Invalid argument", parameter "Id") instead.
Drop the flag so omitting Id is treated as passing NULL.
Mike Yuan [Thu, 19 Feb 2026 23:14:19 +0000 (00:14 +0100)]
pidref: do not tamper with pidref_acquire_pidfd_id() retval
If a pidfd id is passed to us, it must have originated from
somewhere, i.e. pidfs should be supported on the system.
Hence let's be honest about -EOPNOTSUPP, which might indicate
some bigger problems under the hood, rather than allowing
it to be turned into mild -ESRCH.
Anton Tiurin [Mon, 2 Mar 2026 04:44:26 +0000 (04:44 +0000)]
resolved: use DNS_TYPE_DNSKEY for trust anchor support (#40850)
Fix typo: DNS_TYPE_DNSKEY should be used instead of DNS_TYPE_KEY.
- DNS_TYPE_KEY is deprecated
- Source code at resolved-dns-trust-anchor.c#L313 handles
DNS_TYPE_DNSKEY records, but not DNS_TYPE_KEY
So DNS_TYPE_KEY is not referenced anywhere
Anton Tiurin [Mon, 2 Mar 2026 04:22:14 +0000 (04:22 +0000)]
resolve: add missing ServiceNotProvided error to Varlink IDL (#40858)
The error is emitted by `vl_method_resolve_service_complete()` when an
SRV record with a root domain hostname is found, indicating the service
is explicitly not offered on the queried domain (RFC 2782 Usage Rules),
but was not declared in the `io.systemd.Resolve` interface definition.
Yu Watanabe [Mon, 2 Mar 2026 03:40:40 +0000 (12:40 +0900)]
cryptsetup: fix 'tpm2-primary-alg' information in 'cryptsetup luksDump' (#40872)
It was noticed that cryptsetup luksDump outputs
    tpm2-primary-alg: ecc
regardless of the actual primary key type. Namely, in the situation when
RSA SRK is passed to 'systemd-cryptenroll', the output is incorrect and
misleading. Turns out 'tpm2-primary-alg' is not currently used for
unsealing as 'tpm2_srk' object has it in its properties but the
misleading information problem stays.
Fix the issue with a two-fold fix:
- Put the SRK primary alg type to the JSON token so 'cryptsetup
luksDump' has a chance to actually print the right information without
the need to inspect SRK.
- Avoid printing 'tpm2-primary-alg' when it is unset in the JSON as the
default 'ECC' may not match the reality.
No real functional change for the sealing/unsealing expected.
Val Markovic [Mon, 2 Mar 2026 03:38:35 +0000 (04:38 +0100)]
man: improve documentation for RestartSteps (#40879)
I found the existing explanation of RestartSteps to be simply
impenetrable. Even providing the full docs context to several of our new
AI overlords resulted in wildly different (and completely incorrect)
explanations of the final restart intervals.
Digging through the code, I found the restart delay computation in
`service_restart_usec_next` in `src/core/service.c`.
I've updated the documentation for RestartSteps with an example,
suggested value range and a detailed enough explanation that accurately
describes the current behavior.
The kfd device is used for running compute workloads on AMD
GPUs. Users that are logged in should be able to run compute
so tag them like other DRM and ACCEL devices are.
IntenseWiggling [Mon, 2 Mar 2026 03:31:29 +0000 (22:31 -0500)]
hwdb: add one more USB ID for 3D Connexion SpaceMouse Wireless BT (#40890)
The 3D Connexion SpaceMouse Wireless BT (256f:c63a) has an entry in
`70-mouse.hwdb` already as a bluetooth device, but it can also be
connected as a USB device.
Mike Yuan [Fri, 27 Feb 2026 11:11:33 +0000 (12:11 +0100)]
core/exec-invoke: make fd array sizing less error-prone
History has clearly shown that we're terrible at keeping
the size of the dont_close array up-to-date. Hence let's
step away from a hardcoded max size for that, instead
always collect all fds in the array initializer and
let compiler figure it out, taking advantage of the fact
that close_all_fds() gracefully handles invalid fds in
the 'except' array.
It is part of the keep_fds array already, which is intended
for fds that need to survive until the very end of executor
runtime, i.e. across the second close_all_fds() call.
Mike Yuan [Sat, 28 Feb 2026 21:48:14 +0000 (22:48 +0100)]
core/exec-invoke: fix potential double close of socket/bpffs fds on failure
The owned fds should be closed before close_all_fds() along the lines
of exec_params/runtime_close(), otherwise they would be left dangling
afterwards.
Luca Boccassi [Fri, 27 Feb 2026 17:27:30 +0000 (17:27 +0000)]
Translations update from Fedora Weblate (#40876)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Vitaly Kuznetsov [Fri, 27 Feb 2026 13:20:20 +0000 (14:20 +0100)]
cryptsetup-tokens: Print tpm2-primary-alg: only when it is known
When 'tpm2-primary-alg' is missing in LUKS JSON token, the output of
'cryptsetup luksDump' is always:
    tpm2-primary-alg: ecc
because tpm2_parse_luks2_json() returns the default (TPM2_ALG_ECC). This can be
misleading and wrong. Make tpm2_parse_luks2_json() return the reality and move
the default to tpm2_unseal().
Vitaly Kuznetsov [Fri, 27 Feb 2026 12:46:07 +0000 (13:46 +0100)]
cryptenroll: Save primary algorithm type to the LUKS token
'tpm2-primary-alg' field is currently unset in LUKS JSON token both for the
case when SRK was used for enrolling (--tpm2-device-key=) and for the case when
SRK was obtained/generated (--tpm2-device=). While this information is not
really needed for unsealing (the sealed object itself has key type in it), it
may be convenient to see key type in e.g. 'cryptsetup luksDump' in the
situations where key type matters. Since 'tpm2-primary-alg' is already defined,
just set it properly in all cases.
Add the missing 'mstack' value to the ImageType enum in the
io.systemd.sysext Varlink IDL — image_type_table in discover-image.c
already defines IMAGE_MSTACK = "mstack" but it was absent from the IDL.
Export vl_type_ImageType so the test can reference it, and add
TEST_IDL_ENUM(ImageType, ...) to the enums_idl test to catch
similar regressions in the future.
noxiouz [Fri, 27 Feb 2026 00:02:12 +0000 (00:02 +0000)]
import: fix AlreadyInProgress Varlink error missing remote field
The handler sends the remote URL as a parameter via sd_varlink_errorbo()
but the IDL declared the error with no fields, making the payload
undiscoverable via introspection.
Luca Boccassi [Thu, 26 Feb 2026 14:47:39 +0000 (14:47 +0000)]
Translations update from Fedora Weblate (#40842)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
core/socket: fix reversed symlink direction in error message
After the update to 260-rc1 in Fedora Rawhide, we get a lot of messages like
this:
    systemd[1]: systemd-resolved-monitor.socket:
    Failed to create symlink /run/systemd/resolve/io.systemd.Resolve.Monitor →
    /run/varlink/registry/io.systemd.Resolve.Monitor, ignoring: Permission denied
The actual issue will need to be fixed too, but let's fix the message first.
While at it, let's rename the variables to be meaningful.
Luca Boccassi [Wed, 25 Feb 2026 23:12:28 +0000 (23:12 +0000)]
mkosi: explicitly add mount package to build image
Some dependency changed in testing and it's not pulled in anymore:
    ‣ Running build script /home/runner/work/systemd/systemd/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.build.chroot…
    /work/build-script: line 35: mount: command not found
    ‣ /work/build-script failed with non-zero exit code 127
    ‣ (Maybe a program was not found or the script interpreter (e.g. bash) is not installed?)
    FAILED: [code=127] mkosi
Luca Boccassi [Tue, 24 Feb 2026 21:09:26 +0000 (21:09 +0000)]
Install hwids in /usr/lib/systemd/boot/hwids/<EFI_ARCH>/
These are meant to ship with ukify, in the same package,
so install them when ukify is enabled. Given they are
hardware-specific, use a per-arch subdirectory to make it
easier to enable them by default in ukify.
Tobias Heider [Mon, 2 Feb 2026 11:08:46 +0000 (12:08 +0100)]
boot: import Snapdragon device hwid json files
Add hwids json files for Snapdragon devices that make use of this
feature since they don't ship with device trees embedded in firmware.
The json files were originally generated for Ubuntu stubble and
are known to work since they ship in all Ubuntu arm64 ISOs by default.
Some of the devices might not be supported in mainline Linux yet
and use preliminary compatible strings.
* 23a1c1fed9 Install /usr/lib/systemd/boot/hwids/ in ukify package
* 985170fdc6 Version 259.1
* 2e10d7da1e Revert getty changes a bit harder
* 96c683c3de Revert all remaining changes to getty@.service
* 24a305a398 Revert to previous handling of getty@.service
* 6a500eb814 Create getty@tty1.service again and move autovt@.service alias to /usr/lib
* 88bd4ab206 Properly enable systemd-tmpfiles-clear.service in scriptlets
* d9f3f02206 Raise the number of placeholder sections in kernel and addon stubs
* e301db0151 Stop enabling getty@tty1.service
* a1c33507a2 Fix unit names in systemd-udev scriptlet
* b7b3e024d6 Enable getty@.service through presets
* ec5e1b1ed7 Move tpm2 and getty support to -udev subpackage
* 9c9976a7f8 Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* f353d244fd Add 2 patches for automatic aarch64 DTB selection change
* 399885597c Revert "Disable sysinit-path for upstream builds"